Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to group by a field and display multiple fields

andytangjpmc
New Member
‎09-24-2019 11:52 AM

I have trace, level, and message fields in my events. I want to group by trace, and I also want to display all other fields. I'm having issues with multiple fields lining up when they have different amount of lines.

Here's what I want:

+--------+-------+----------+
| trace1 | INFO  | Message1 |
|        |       | Line2    |
|        +-------+----------+
|        | DEBUG | Message2 |
|        +-------+----------+
|        | DEBUG | Message3 |
+--------+-------+----------+

But I end up with results like this:

+--------+-------+----------+
| trace1 | INFO  | Message1 |
|        +-------+ Line2    |
|        | DEBUG |          |
|        +-------+----------+
|        | DEBUG | Message2 |
|        +-------+----------+
|        |       | Message3 |
+--------+-------+----------+

Here's my search query:

  • | stats list(level), list(message) by trace
0 Karma
Reply

somesoni2
Revered Legend
‎09-24-2019 01:19 PM

Multiple level grouping (similar to merging columns in Excel) is not supported natively. For your requirement, try something like this:

..| stats list(message) by trace level

OR

...| eval Level_message=level."  ##  ".message | stats list(Level_message) by trace
Reply
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Get Updates on the Splunk Community!